saml-dev message


Subject: RE: [saml-dev] (ex / non ex) canonical XML

I think many early implementations worked without the need for signatures (e.g. artifact across browser and unsigned assertion on trusted back channel).

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Tuesday, March 14, 2006 9:15 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] (ex / non ex) canonical XML
Forces beyond my control have taken me on a little trip back in time to look at SAML 1.0 (I didn’t get involved in this space until after SAML 1.1 was out so this has been an interesting learning experience for me). I see that one of the major differences between dot zero and dot one is changing the recommended c14n method from canonical XML (http://www.w3.org/TR/2001/REC-xml-c14n-20010315) to exclusive canonical XML (http://www.w3.org/2001/10/xml-exc-c14n#). I can see why this change was made and, although I’ve not yet had the pleasure, I can imagine that there were some interoperability problems when trying to use the non-exclusive transform. My question is - how did SAML 1.0 implementations deal with this? Were they only able to interoperate when signatures were applied to the response in the post profile? What is the value of a signed assertion if the signature cannot be verified independent of its original document context (I guess there isn’t one and that’s why 1.1 made the change but did implementations try to work around it somehow)? Did implementers end up just using exclusive in spite of the spec recommendation?


I would appreciate any historical perspective that can be provided by those of you that have been involved with stuff longer than I.
By the way, the sstc-saml-diff-1.1-draft-01 document has proven to be a very informative resource - I’d like to say thanks to Prateek, Dipak, Jahan and Robert.

